Maximizing C-I-A
IT auditors commonly look at risks in three aspects: operational risks, asset risks, and financial reporting risks. Operational risks are associated with the operations of the entity, especially regarding its information systems and underlying technologies. Asset risks are associated with the loss or damage to assets. Since data are valuable assets, they are included in that aspect of risk assessment. Financial reporting risks involve risks that could cause errors or fraud in the financial reporting data, especially those of material nature. When looking at these risks through the workstation lens, it is important to consider how the data are kept confidential and data integrity is maintained while the workstation services remain available.
The overall purpose of compliance requirements is to enforce the basic pillars or tenets of security. Although some compliance requirements might seem to be unnecessary, they all should work together to support the C-I-A properties of secure systems. As a review, here are the three tenets of information security:
-
Confidentiality—Assurance that the information cannot be accessed or viewed by unauthorized users
-
Integrity—Assurance that the information cannot be changed by unauthorized users
-
Availability—Assurance that the information is available to authorized users in an acceptable time frame when the information is requested
Figure 9-3 shows the C-I-A triad.
FIGURE 9-3 C-I-A Triad
Notice that a central theme of the C-I-A properties is the difference between authorized and unauthorized users. The identification, authentication, and authorization process you learned about in the previous section provides the foundation for securing information in any domain. Maximizing the C-I-A properties is all about ensuring authorized users can access trusted data and unauthorized users cannot.
Maximizing Availability
Secure information serves the purpose for which it was created. Secure information must be available when the information is requested. This requirement means that information should be available during normal processing but also during and after unusual events. Unusual events include minor events, such as short-term power outages, up to major disruptions and disasters. Two fundamental areas in the Workstation Domain can affect availability:
-
Surviving power outages
-
Executing a solid backup and recovery strategy
You should address each area when you create Workstation Domain controls.
Surviving Power Outages
The easiest way to ensure your computers and devices can continue operating in the event of a power outage is by using a UPS. The first step in implementing the right UPS is to list each of the computers and devices you want to protect. Consider any supporting devices you’ll need along with computers. For example, if you want to be able to stay online during a power outage, you’ll need to ensure you connect any network access devices to the UPS as well. Once you have a list of all devices, add up the power requirements for all devices you’ll attach to the UPS. Then search UPS manufacturers for a UPS that will satisfy your service and power requirements. An Internet search is a good place to start.
Backup and Recovery Strategy
A UPS is fine to keep your computers up and running when the power goes out for a few minutes, but what do you do in case of a disaster? What happens to the programs and data on your Workstation Domain computers if a fire in your office destroys the computers? Fire is only one type of disaster your computers might encounter. Information that burns up in a fire or is destroyed in a flood is not available when you need it. Because the information isn’t available in this situation, it isn’t very secure.
You must have a plan to periodically create secondary copies of your important information. This secondary copy is often called a backup. Creating a backup copy of information is important, but it is only one step in a plan to ensure availability. The real key to ensuring availability is to have a plan for restoring your information to the state in which it existed before a disaster. Your backup and recovery strategy should include the following:
-
Backup plan—This plan creates frequent backup copies of important files. This plan includes identifying the files you need to back up, deciding on which backup utility to use, and setting a schedule for creating backups.
-
Safe media storage plan—This plan protects your backup copies, including procedures for transporting backup media to a protected location. In most cases, you want to keep copies of your important information in remote locations to keep them safe from disasters that might affect your primary office. Consider keeping backup copies far enough away from your primary office that a disaster won’t affect them. For example, a flood or earthquake can affect a large area. You may need to store backup copies far away, even in a different geographic region.
-
Restore plan—This plan uses the backup media to restore your environment to working order. This is often the plan people overlook. You need backups, but you also need a plan that tells how to use the backups to rebuild a working system.
The most important aspect of ensuring availability is to plan for situations that might disrupt your organization’s activities and know what to do in those instances. Plan ahead, and you won’t likely be caught not knowing what to do when a disaster strikes.
Maximizing Integrity
The term malware refers to a collection of different types of software that share the goal of infiltrating a computer and making it do something. In many cases, malware does something undesired and operates without the explicit consent of the owner. This is not always the case, however. Some types of malware are downloaded and installed with the owner’s full knowledge. Malware can be loosely divided into two main categories: programs that spread or infect and programs that hide.
Programs that spread or infect actively attempt to copy themselves to other computers. Their main purpose is to carry out instructions on new targets. Malware of this type includes the following:
-
Virus—A software program that attaches itself to or copies itself into another program for the purpose of causing the computer to follow instructions that were not intended by the original program developer is called a virus.
-
Worm—A self-contained program that replicates and sends copies of itself to other computers, generally across a network, is called a worm.
Other malware hides in the computer to carry out its instructions while avoiding detection. Malware that tends to hide includes the following:
-
Trojan horse—Software that either hides or masquerades as a useful or benign program is called a Trojan horse.
-
Rootkit—Software that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised is called a rootkit.
-
Spyware—Software that covertly collects information without the user’s knowledge or permission is called spyware.
Understanding these five basic types of malware and how to protect your systems from them is important to a solid security plan. You install anti-malware software to protect Workstation Domain computers. There are many anti-malware software products from which you can choose. Carefully review suppliers and their products for costs, functionality, and support. The best place to look for specific anti-malware for your operating system is the Internet. Use an Internet search engine to search for “anti-virus software” and “anti-spyware software.”
After you decide on one or more anti-malware products, you must develop procedures to ensure the products and their signature databases are kept up to date. With new viruses, worms, and Trojan horses being released every day, it is important that your software be kept current to recognize as many new threats as possible. Up-to-date anti-malware software can help make your Workstation Domain computers more secure and able to ensure information integrity.
Maximizing Confidentiality
Because Workstation Domain computers may store sensitive or private information, it is important to protect the information from disclosure to unauthorized users. Two methods are commonly used to protect information confidentiality. Access controls can help ensure that unauthorized users cannot access protected objects. The easiest way to deny access to anyone other than authorized users is through access permissions. If you grant read and write access only to authorized users, the operating system ensures the information’s confidentiality. Regardless of your choice of access control methods, you can assign user accounts to enforce confidentiality.
There is a drawback to using operating system access controls. It is possible for an attacker with physical access to a computer to boot the computer using alternate boot media. Most Workstation Domain computers have USB ports and CD/DVD drives. Either of these can support booting. If you insert a bootable CD/DVD or USB drive, many computers will boot from the alternate devices instead of the internal disk drive.
Booting from alternate boot media makes it easy to access files directly from the disk. If you boot from a CD/DVD or USB drive, you can bypass the operating system access controls and access any files you want. So, operating system access controls don’t fully protect the confidentiality of your information. To protect private information at all times, you need to protect it even when the operating system isn’t running. Only encryption provides that much protection.
Encrypting data makes them unreadable to everyone without the decryption key. You can encrypt all sensitive information and provide the decryption key only to authorized users. Attackers can still boot your computer using alternate media; however, they will see only encrypted files and will be unable to read their contents.